[00:01.550 --> 00:05.270]  Hello, everyone, and welcome to Trust but Verify,
[00:05.270 --> 00:08.930]  Maintaining Democracy in Spite of Information Countermeasures.
[00:09.910 --> 00:16.190]  My name is Allie Mellen. I'm a security strategist in the office of the CISO at Cybereason.
[00:16.190 --> 00:20.330]  A little bit about me, I'm a computer engineer at heart.
[00:20.350 --> 00:25.290]  I've been in various engineering and development roles for the past 10 years.
[00:25.690 --> 00:30.810]  Previous security researcher and now security strategist at Cybereason.
[00:30.830 --> 00:36.610]  I am a frequent presenter on different topics, including election security.
[00:37.210 --> 00:42.170]  And before we jump into the voting aspects of this talk,
[00:42.170 --> 00:47.850]  what I really want to talk about is something very important and related,
[00:47.850 --> 00:52.750]  which is what is truly critical to our daily life?
[00:52.790 --> 00:58.810]  And the way that I immediately think about this is through Maslow's hierarchy of needs.
[00:59.450 --> 01:04.570]  At the base of Maslow's hierarchy of needs, you have the physiological needs,
[01:04.570 --> 01:09.130]  things like air, water, and food. It's critical to daily life.
[01:09.210 --> 01:13.650]  At the next level, you have things like personal security, employment,
[01:13.650 --> 01:18.910]  resources, these things that are a complete requirement if you're going to continue to survive.
[01:20.030 --> 01:25.470]  And then you get into the more psychological side of things with things like belonging.
[01:25.470 --> 01:33.630]  The majority of first world countries, we have safety and the physiological needs relatively
[01:33.630 --> 01:39.570]  covered. But once you get to this level of belonging and that psychological element,
[01:39.570 --> 01:45.130]  you start to get into something that I think a lot of people are under constant development with.
[01:45.130 --> 01:48.890]  And it's not a given that you're going to have these things just because you're in a
[01:48.890 --> 01:56.290]  first world country. Similarly, esteem, things like respect, self-esteem, status. These are
[01:56.290 --> 02:02.950]  things that you need on this path towards what is ultimately self-actualization and the desire
[02:02.950 --> 02:09.410]  to become the most one can be. And you can be taking steps at each of these levels. But the
[02:09.410 --> 02:15.550]  idea is that in order to reach the top of the pyramid, you need to have all of these different
[02:15.550 --> 02:22.950]  levels met. So the reason that I talk about this is because I think that it plays an important role
[02:22.950 --> 02:29.550]  in voting and in election security as well. And it raises the question of where does voting fit
[02:29.550 --> 02:40.110]  into this? Now, a little bit of background. The original, the start of this idea came from
[02:40.330 --> 02:45.470]  a series of exercises we did at Cybereason called Operation Blackout: Protect the Vote,
[02:45.470 --> 02:52.010]  where we worked with local and federal law enforcement officers to host tabletop exercises,
[02:52.010 --> 02:56.910]  where we had one red team of hackers and cybersecurity experts and a blue team of
[02:56.910 --> 03:03.370]  local and federal law enforcement from DHS, FBI, and the Secret Service. And then we also had a
[03:03.370 --> 03:09.030]  white team set up for adjudication. And it was basically a turn-based tabletop exercise
[03:09.030 --> 03:18.610]  so that we could ultimately identify gaps in law enforcement's ability to protect Election Day
[03:18.610 --> 03:26.650]  with a fictional country known as Adversaria. And we actually held these exercises in Washington,
[03:26.650 --> 03:34.450]  D.C., in Boston, in San Francisco, in London, in Tel Aviv, and Paris. And what we learned from them
[03:34.450 --> 03:40.330]  is that even when you're not actually hacking, even when this is just a thought experiment,
[03:40.330 --> 03:44.510]  you can see a lot of potential for different ways to attack an election
[03:44.510 --> 03:49.350]  that isn't just limited to those voting machines. And so that's what I'm going to be talking about
[03:49.350 --> 03:54.450]  today. We're going to start with the defender perspective and really getting into the daily
[03:54.450 --> 04:00.110]  life of a voter before jumping into the attacker perspective. And then we're going to start
[04:00.110 --> 04:05.110]  brainstorming what you could do to stop an election in order to understand better how we
[04:05.110 --> 04:10.470]  can actually defend it. And so throughout this talk, I want you guys to be brainstorming and
[04:10.470 --> 04:16.830]  thinking about the different things that you would do to stop an election or to cause chaos
[04:16.830 --> 04:23.050]  during an election day. So let's jump into the defender perspective.
[04:24.830 --> 04:31.410]  According to the DHS, election infrastructure includes things like voter registration databases,
[04:31.410 --> 04:37.450]  IT infrastructure, voting systems, storage facilities, and polling places. Okay, this is
[04:37.450 --> 04:42.150]  a very classical definition, totally understandable. These are all the things that have to do with
[04:42.150 --> 04:48.930]  actually submitting your vote. But I don't think that that's all that we need to consider.
[04:48.990 --> 04:53.030]  I think that there's a lot more that we need to consider before the voter is actually able
[04:53.030 --> 04:59.130]  to go to the polling place and put in their ballot. And the way that I like to talk about
[04:59.130 --> 05:05.020]  this is through the voter hierarchy of needs. These are, much like Maslow's hierarchy,
[05:05.630 --> 05:12.690]  a set of different things that voters need before they're actually comfortable going out to vote.
[05:14.110 --> 05:19.350]  We can see the parallels with Maslow's hierarchy of needs with things like
[05:19.350 --> 05:25.290]  the physiological needs. Life and death, very important. Property, having a place to live,
[05:25.290 --> 05:31.890]  having a place to do your daily activities. Those things are automatically going to come before
[05:31.890 --> 05:37.050]  voting. If you are afraid for your life, you're probably not going to take the time to vote.
[05:37.050 --> 05:42.090]  For those who do, it's going to be much less than it would if they weren't afraid for their lives.
[05:43.150 --> 05:49.470]  And that also plays into the safety concept, but it can be extended to things like family health
[05:49.470 --> 05:57.950]  or job safety, financial security. People, when they don't feel financially secure,
[05:57.950 --> 06:02.930]  are they going to want to spend the extra money to get to the polling place? Some will not.
[06:04.050 --> 06:09.330]  And then also that belonging aspect. If you don't feel like you're a part of a country,
[06:09.410 --> 06:14.310]  a part of a culture, you're not going to want to contribute to it by giving back your vote.
[06:15.910 --> 06:21.370]  And then esteem, feeling like your vote matters, feeling like you matter in the grand scheme of
[06:21.370 --> 06:25.930]  things, feeling like it's worth it to vote because you think that you're making something a better
[06:25.930 --> 06:35.170]  place. And then, of course, being all that you can be and really being able to feel good about that
[06:35.850 --> 06:40.870]  as you move forward and also feel good about your voting and that contributing to your country being
[06:40.870 --> 06:47.450]  the best that it can be. So this is how I like to talk about the voter hierarchy of needs and
[06:47.450 --> 06:52.670]  all of the levels that we have to consider as different places that can be attacked.
[06:52.950 --> 06:58.410]  And that's why I question if election infrastructure is really just limited to the
[06:58.410 --> 07:03.670]  ways that you submit your ballots. And I think it's important to say that I'm not suggesting that
[07:04.310 --> 07:10.090]  election commissions need to control all of these levels, but they need to be considered
[07:10.090 --> 07:15.100]  as we look to secure our elections and protect our democracy.
[07:16.910 --> 07:21.550]  Because these systems that we've identified that we need to protect
[07:21.550 --> 07:29.590]  are also systems that can become a target. And you might think that this would be a small
[07:29.590 --> 07:35.950]  impact on an election, but take the United States, where 40% of eligible U.S. citizens
[07:35.950 --> 07:42.090]  do not vote at all, and any kind of voter suppression will have an impact on the election.
[07:44.210 --> 07:49.170]  So when we're thinking about election security and election infrastructure,
[07:49.170 --> 07:55.050]  we need to think about things that relate to voter suppression and faith in the government.
[07:55.530 --> 08:02.590]  There are ways to influence an election outside of attacking the actual polling places.
[08:04.330 --> 08:08.850]  So let's jump into the attacker perspective and talk about a more historical approach
[08:08.850 --> 08:13.170]  and modern day what we're seeing, as well as motivations and things like that.
[08:13.890 --> 08:21.270]  So on the motivation side, these nation-state attackers, they're looking to either gain power,
[08:21.510 --> 08:26.210]  a particular ideology, or maintain global recognition and support. And for any of you
[08:26.210 --> 08:31.410]  who were able to attend some of the Black Hat keynotes, we saw this as a common thread.
[08:31.870 --> 08:38.850]  These countries are looking to make sure that their particular belief system is spread across
[08:38.850 --> 08:44.730]  the world, that they maintain their status as a superpower, whatever the case may be,
[08:44.730 --> 08:47.190]  or that they get to the point of a superpower.
[08:48.970 --> 08:53.030]  And when I'm thinking about the different types of attacks, the different types of cyber attacks
[08:53.030 --> 09:00.850]  that we can see, I like to use a way of describing it that our CISO Sam Curry talks about, which is
[09:00.850 --> 09:05.850]  three different layers. The infrastructure layer, the information layer, and the ethos layer.
[09:05.850 --> 09:16.950]  The infrastructure layer, that's that physical objects like the electric grid, things like that,
[09:16.950 --> 09:22.750]  misinformation or disinformation. And the ethos layer, that's all about the core belief system of
[09:22.750 --> 09:29.010]  the country. So we're going to start with that belief system and delve into some historical
[09:29.010 --> 09:34.030]  examples, and then get to some modern day examples that incorporate a lot more of the
[09:34.030 --> 09:40.030]  cybersecurity aspect. The historical examples don't as much, however, they give us a really
[09:40.030 --> 09:45.450]  good baseline to understand that this is not a new problem, and that the way that we're seeing
[09:45.450 --> 09:53.070]  people do it digitally is just a new approach to that problem. So let's take the Italian elections
[09:53.070 --> 10:00.210]  of 1948. At the time, it was right after World War II, the U.S. government was intent on
[10:00.210 --> 10:05.530]  psychological warfare. They were obsessed with spreading democracy, and they were putting
[10:05.530 --> 10:11.390]  millions of dollars towards Christian, Democratic, and right-wing socialist parties. In effect,
[10:11.390 --> 10:16.520]  they were spreading a massive propaganda campaign against communist socialist coalitions.
[10:17.010 --> 10:23.210]  And the goal was to change the perception in that election specifically to a conversation about
[10:23.210 --> 10:30.870]  democracy versus totalitarianism, Christianity versus atheism, America versus the Soviet Union,
[10:30.870 --> 10:37.870]  and of course, abundance versus starvation, trying to draw that contrast. And they ended up
[10:37.870 --> 10:44.170]  successfully swaying the votes in the election. And so they repeated that process in places like
[10:44.170 --> 10:53.830]  Guatemala, in South Vietnam, in Afghanistan, and Indonesia, as well as many, many more.
[10:54.150 --> 10:58.730]  And this was without having the digital component at all, without having to do any hacking.
[10:59.150 --> 11:04.170]  But it was the start of something that we're seeing take shape even more now.
[11:05.050 --> 11:13.310]  Another example. Moscow founded the Communist International group, Comintern, in 1919, and they
[11:13.310 --> 11:20.350]  urged the American Communist Party to pursue revolutionary regime change. This was very
[11:20.350 --> 11:26.610]  similar to democracy promotion, which was, again, later pursued by Washington, all with the purpose
[11:26.610 --> 11:37.470]  of spreading their point of view within America. And of course, the 1996 Chinese influence on the
[11:37.470 --> 11:44.850]  U.S. election, where a Chinese general sent $300,000 to influence a U.S. presidential election
[11:44.850 --> 11:52.950]  by funneling money to the Clinton campaign. So let's look at the cyber equivalent of these
[11:52.950 --> 11:59.870]  things that's happening right now, and has been happening for some time. A good example of this
[11:59.870 --> 12:07.930]  is social media attacks. So on the left, you can see this ad, which is meant to persuade voters to
[12:07.930 --> 12:15.610]  vote ahead by voting from home, and saying that you can text Hillary to a certain number to vote,
[12:15.610 --> 12:21.110]  which is obviously not true. But especially right now, it might be something that people would
[12:21.910 --> 12:28.390]  find really appealing, not having to worry about any mail-in voting, just having to text a name to
[12:28.510 --> 12:36.760]  a certain number. But of course, it doesn't work. So that's kind of a double-edged attack, because
[12:36.760 --> 12:43.380]  it's not just targeting that belief system, and that belief in your government, and their ability
[12:43.380 --> 12:48.120]  to actually protect you from these types of things, but it's also targeting that information
[12:48.120 --> 12:52.840]  layer, and making it so that your vote doesn't actually count, even though you think that it did.
[12:52.860 --> 12:58.820]  And then on the right-hand side, you can see an advertisement, also not from someone in the U.S.,
[12:59.760 --> 13:07.260]  but aimed at highlighting divisions within the U.S., and also creating them, depending on the case.
[13:09.320 --> 13:17.680]  And an important part of this talk is recognizing that there are other organizations than the
[13:17.680 --> 13:26.160]  government that have a role in election security, even if they choose not to. And
[13:26.700 --> 13:31.820]  that through actions that certain social media organizations have taken,
[13:32.460 --> 13:41.580]  they have set up governments to spread this type of attack more easily. And that's not to say that
[13:41.580 --> 13:46.880]  these organizations should be controlled, or anything like that, but to some extent,
[13:46.880 --> 13:53.560]  they do have a responsibility as American citizens, as people in the United States,
[13:53.560 --> 14:00.820]  to consider this, and to consider the implications of these types of attacks, and to try to build a
[14:02.180 --> 14:08.780]  stronger foundation for democracy within their own organizations. So now let's look at the
[14:08.780 --> 14:15.620]  information plane. And remember, this is all of the communication. This is where we get into the
[14:15.620 --> 14:22.060]  real misinformation and disinformation. And I want to start with a really baffling example
[14:22.780 --> 14:30.000]  that highlights that, you know, this is not a new thing. And as much as we are recognizing
[14:30.000 --> 14:35.840]  disinformation and misinformation right now in American culture, America was really founded on
[14:35.840 --> 14:41.240]  this. It was founded on the premise of a conspiracy theory where the British were trying
[14:41.240 --> 14:47.540]  to enslave us. Sam Adams argued that Britain's taxations before the Revolutionary War were part
[14:47.540 --> 14:54.800]  of an elaborate conspiracy to eventually enslave American colonists. He actually spread that and
[14:54.800 --> 15:01.180]  other early disinformation through pamphlets and speeches that he would hand out that contained
[15:01.180 --> 15:08.620]  information that he knew was not true. And he used the Boston Massacre as a tool in order to
[15:08.620 --> 15:15.280]  continue to spread that disinformation and to continue to cause chaos within America leading
[15:15.280 --> 15:23.500]  to the American Revolution. So we have this foundation in the U.S., for those of you who
[15:23.500 --> 15:30.120]  are from the U.S., of disinformation and of misinformation from our very earliest days.
[15:32.120 --> 15:39.180]  And then, of course, you can consider things like the CIA and the infamous propaganda asset inventory.
[15:39.180 --> 15:48.700]  During the Cold War era in the 1950s and 60s, the CIA had a huge number of radio stations
[15:48.700 --> 15:56.840]  and newspapers and magazines across the globe that they were using to push the United States
[15:56.840 --> 16:05.480]  agenda. In one very interesting instance, they had control of a program called Radio Free Asia,
[16:06.290 --> 16:14.580]  but they realized that the average Taiwanese person, individual, would not actually have a radio.
[16:14.580 --> 16:20.470]  So they strapped small radios to balloons and sent them flying to try and get them to Taiwan.
[16:21.040 --> 16:25.520]  Needless to say, the wind took them in the wrong direction, but the idea was very interesting
[16:25.520 --> 16:35.320]  nonetheless. In another interesting little tidbit, they had control of a magazine, but
[16:36.080 --> 16:40.820]  the magazine became so popular that it actually also began being distributed to the
[16:40.820 --> 16:45.000]  United States. And so they had to be very careful to only put the propaganda in the
[16:45.000 --> 16:54.880]  ones that were not going to the U.S. Similarly, in the 50s, 60s, and 70s, left-wing newspapers
[16:54.880 --> 17:00.680]  in Europe were pretty much all financed directly from Moscow, pushing Moscow's agenda.
[17:01.880 --> 17:08.840]  And then the U.S. radio, also in Moscow, which would play rock music like Elton John and the
[17:08.840 --> 17:14.880]  Beatles that they couldn't get anywhere else, but it was always followed by short segments of what
[17:14.880 --> 17:19.940]  they called editorial content, which Soviet authorities considered disinformation, which
[17:19.940 --> 17:28.180]  was giving that American perspective. One that's more focused on the cyber realm is the
[17:28.180 --> 17:36.900]  2014 Ukraine elections. On May 21st of 2014, attackers compromised the CEC network and
[17:36.900 --> 17:42.820]  actually disabled the vote counting. Now, this would automatically attack that ethos layer,
[17:42.820 --> 17:46.720]  and you start to lose faith in your government to actually be able to accurately count your
[17:46.720 --> 17:52.040]  votes and the validity of the election. But then they managed to get it back up after,
[17:52.040 --> 17:57.020]  I think, like 12 hours. And four days later was the actual election day.
[17:57.740 --> 18:08.260]  At the time, the same CEC website was under constant DDoS attack. And 12 minutes before
[18:08.260 --> 18:13.160]  the polls closed, attackers actually posted a picture of a former leader to the Right Sector
[18:13.160 --> 18:18.960]  on the CEC website claiming he won the election. What's really interesting about this is it was
[18:18.960 --> 18:26.880]  immediately shared by Russian media. Almost as if it was coordinated. Almost.
[18:28.740 --> 18:36.220]  And let's also look at the communication plane. This is very interesting, and it really makes it
[18:36.220 --> 18:43.140]  so that people are confused about what to do, where to go. It's a direct line to the voters.
[18:44.140 --> 18:49.480]  And here are two examples of that. On the left, you have an example of a text that is supposedly
[18:49.480 --> 18:54.720]  from President Trump shaming someone into voting, saying your ballot hasn't been submitted,
[18:54.720 --> 18:59.960]  what are you still doing? In reality, this is not from the campaign, this is not from Trump.
[19:00.400 --> 19:06.240]  And they would not be able to track this type of information. But they even got an interesting URL,
[19:06.240 --> 19:12.760]  vote.gop. And then on the right-hand side, you can see an example that's supposed to be a very
[19:12.760 --> 19:20.160]  helpful message from the government telling you your polling location and what the hours are and
[19:20.160 --> 19:25.660]  where to go. In reality, that's not a real polling location. That's someone sending a message that
[19:25.660 --> 19:32.240]  purports to be from the government as a helpful reminder to go vote, when in reality, there's
[19:32.240 --> 19:38.340]  nothing there and the voter will go, get there, and not be able to vote. And at that point,
[19:38.340 --> 19:44.780]  you're either one, late for work if you go into work, or two, you're frustrated and less likely
[19:44.780 --> 19:53.010]  to vote. Now let's look at the infrastructure plane. And this one is really interesting
[19:53.010 --> 19:57.870]  because it's that physical layer, which I think that a lot of times, especially more broadly,
[19:57.870 --> 20:04.150]  we don't think about or more broadly, I mean, the world instead of just the cybersecurity community
[20:04.150 --> 20:09.030]  doesn't think of cyber attacks in this infrastructure plane as much. And we're
[20:09.030 --> 20:15.010]  going to go back to those historical examples that don't incorporate a cybersecurity component,
[20:15.010 --> 20:20.210]  but lay the groundwork for where this can go in the future. Starting with the assassination of
[20:20.210 --> 20:30.210]  Lumumba. In 1960, the Democratic Republic of Congo gained its independence. And Lumumba was the
[20:30.210 --> 20:37.410]  prime minister of the DRC. He was also elected that year. And then he was subsequently assassinated
[20:37.410 --> 20:45.430]  one year later in 1961. Now, this was immediately politically fracturing for this very, very new
[20:45.430 --> 20:52.690]  independent nation. And it turns out that the groups behind it were American and Belgian.
[20:52.690 --> 20:57.890]  And they were actually from the US government and the Belgian government. And they had worked
[20:57.890 --> 21:02.930]  together to plan this assassination. And this is the type of thing that can really
[21:03.850 --> 21:11.290]  be destructive to such a new nation. It would be the equivalent in the US is George Washington
[21:11.290 --> 21:17.690]  being assassinated a year after American independence, which would have, who would have,
[21:17.690 --> 21:26.530]  who knows what would have happened in that instance. And then there's also the 1965
[21:27.110 --> 21:33.570]  Indonesian elections and subsequent massacre. The Communist Party finished fourth in an
[21:33.570 --> 21:39.670]  Indonesian election, and they were offered a proportional representation in the government.
[21:40.510 --> 21:48.530]  Now, this was not aligned to US interests, needless to say. And for fear of how this would
[21:48.530 --> 21:55.910]  impact US interests in the region, the US secretly supported the purge of suspected communists,
[21:55.910 --> 22:01.050]  causing thousands to millions, they're not entirely sure how many, to die over the course
[22:01.050 --> 22:08.370]  of months. And the military took over as the most powerful institution. So this is not only direct
[22:08.370 --> 22:16.670]  impact, because they have supported and pushed for the death and the massacre of these many,
[22:16.670 --> 22:23.530]  many people. But it's also something that I deeply believe would terrify the public,
[22:23.530 --> 22:28.870]  who is going to be voting and speaking about their beliefs freely after this type of thing
[22:28.870 --> 22:37.680]  happens in their country. And now this one isn't an example of election day, but it's a good
[22:37.680 --> 22:43.500]  representation, again, and it does involve that cyber component. So the Bronze Night in Estonia
[22:43.500 --> 22:50.480]  in 2007, this was really a combination of an infrastructure attack and an information attack.
[22:51.080 --> 22:58.660]  In 2007, Estonians made the decision to move a Red Army soldier statue to a Soviet cemetery,
[22:58.660 --> 23:03.380]  because needless to say, they did not want a Red Army soldier in the middle of their country.
[23:04.180 --> 23:11.540]  Not exactly a fan favorite there. So the night that it was being moved, fake news started to
[23:11.540 --> 23:19.000]  spread with Russian news reports claiming that the statue and the Soviet war graves were being
[23:19.000 --> 23:25.400]  destroyed. And this resulted in two nights straight of riots and looting. 156 people were
[23:25.400 --> 23:32.380]  injured, one person was left dead, and a thousand were detained. But at the exact same time,
[23:32.380 --> 23:37.640]  there were a ton of denial of service attacks going on inside Estonia across banks, media
[23:37.640 --> 23:43.800]  outlets, governments, cash machines, things like online banking was out of service, government
[23:43.800 --> 23:49.320]  employees couldn't communicate over email, and newspapers and broadcasters couldn't deliver
[23:49.320 --> 23:55.900]  the news. So all they were left with was the Russian news reports that were spreading this
[23:55.900 --> 24:05.640]  fake news. And this quote, I really like this quote, because it talks a little bit about this
[24:05.640 --> 24:15.720]  with, in all of these historical examples, these campaigns were done covertly. And cyber aggression
[24:15.720 --> 24:24.100]  really gives us the ability to have these types of campaigns very covertly. And it leaves us
[24:24.100 --> 24:31.440]  really vulnerable to these types of attacks, and to really sowing chaos internally in the country,
[24:31.440 --> 24:36.420]  with people believing conspiracy theories about the situation, with people not knowing what's true
[24:36.420 --> 24:42.180]  and what isn't. And that's why I think it's so scary, the potential, not just on the misinformation
[24:42.180 --> 24:48.080]  and disinformation side, but also on that belief system layer, and even that infrastructure layer.
[24:50.900 --> 24:59.120]  So some examples of things that we talked about during these tabletop exercises that I think
[24:59.640 --> 25:06.540]  could have a huge impact on election day come to things like the electric grid. So in 2003,
[25:06.680 --> 25:11.740]  a four-day power outage left at least 100 people in the United States and Canada dead.
[25:12.460 --> 25:20.220]  Now imagine there's a power outage on election day, and you have yet to leave your house. Are
[25:20.220 --> 25:24.560]  you going to be worried about voting? Or are you going to be worried about making sure that whatever's
[25:25.180 --> 25:31.000]  in your fridge doesn't go bad? Are you going to be worried about your family? Maybe you know
[25:31.000 --> 25:39.760]  someone who needs the type of care that requires electricity to be available? There are a lot of
[25:39.760 --> 25:44.820]  factors here that will immediately, just like with those voter hierarchy of needs, that will
[25:44.820 --> 25:50.040]  immediately come before you're actually willing to vote when something sporadic happens, like losing
[25:50.040 --> 26:01.720]  power. And we're also going to talk about transit. So in 2016, San Francisco's transit system was
[26:01.720 --> 26:09.680]  infected with ransomware. Now imagine a scenario, a lot of people go to vote after work. So you
[26:09.680 --> 26:17.220]  go to work, you spend your day on Twitter, probably seeing some disinformation. You get
[26:17.220 --> 26:22.460]  to the end of the day, you've taken the train into work, and you go to take the train to the polling
[26:22.460 --> 26:28.580]  station and then back home, and it's down. And you can't access it. Are you going to be thinking about
[26:28.580 --> 26:32.580]  voting now? Or are you going to be thinking about how you're going to get home and potentially being
[26:32.700 --> 26:42.340]  a little annoyed that the train is down? So we can see that these attacks go across layers,
[26:42.340 --> 26:48.880]  but also across all the layers of the pyramid. And they're just a few examples. There are way
[26:48.880 --> 26:56.340]  more that we can look at through our own tabletop exercises. So let's jump back into the defender
[26:56.340 --> 27:02.280]  perspective before we really get to that brainstorming part. Where does this leave us?
[27:02.800 --> 27:10.340]  We have this small view of election security, just with voter registration, just with databases,
[27:10.340 --> 27:17.140]  IT infrastructure, things like that. And we end up with quotes like these from
[27:18.180 --> 27:23.440]  leaders in different countries. We cannot exclude such activities in Germany either.
[27:23.440 --> 27:28.200]  In the election campaign, we'll also have to confront distortions and fake stories.
[27:28.200 --> 27:33.000]  Now, it's great that they're being honest about it, but where does this leave a citizen
[27:33.000 --> 27:39.560]  when knowing what's fake, what's real? When knowing how to actually combat this?
[27:40.480 --> 27:46.740]  Similarly, we have representatives saying that people are trying to steal another election,
[27:46.740 --> 27:50.840]  that it's all rigged, that it's a scam, pushing this same narrative
[27:51.520 --> 27:56.140]  that these countries want other countries to believe in.
[27:57.520 --> 28:02.460]  And then, of course, just from a couple of weeks ago, congressional Democrats talking about
[28:02.460 --> 28:06.380]  how they were gravely concerned about foreign interference in an election.
[28:06.900 --> 28:11.660]  Now, I think the recognition, again, the recognition is good. It's just a matter of
[28:11.660 --> 28:17.720]  giving us the tools to combat what they're seeing that we're missing here. We're missing
[28:17.720 --> 28:26.640]  the leadership part. So where should we really be going in order to create a different reality
[28:26.640 --> 28:31.120]  for ourselves, where we have a more well-rounded view of election security, where we understand
[28:31.120 --> 28:37.340]  the problem and where we, not just the government, but also the citizens and the private sector,
[28:37.340 --> 28:45.660]  can effect change? And this is what it should look like, where we have all of those different
[28:45.660 --> 28:51.940]  aspects that are front and center, and that we're thinking about, and that we're making clear
[28:51.940 --> 28:55.040]  these are the things that are going to be under attack. These are the things that you need to
[28:55.040 --> 29:00.840]  look out for. Having that communication, because in reality, as I've mentioned before, a lot of
[29:00.840 --> 29:08.360]  these channels are not government-owned entities. A lot of them are privately held, which means that
[29:08.360 --> 29:14.840]  election security cannot just be the government's problem. It has to be something considered by the
[29:14.840 --> 29:22.720]  private sector. It has to be something that we work together as a community, as a society, to help stop.
[29:25.600 --> 29:33.040]  So I want you guys... the goal of this was, if we were in person, to do a small tabletop
[29:33.040 --> 29:40.220]  exercise together. But since we can't really do that, I want you guys to imagine how this
[29:40.220 --> 29:46.360]  scenario would go, what you would do from either perspective. And just start by thinking about,
[29:47.020 --> 29:53.100]  do you vote before work? Do you mail in your ballot? How do modern events, like the pandemic
[29:53.100 --> 29:58.220]  that we're going through right now, change all of that? Are you on Twitter? Do you fact check?
[29:58.400 --> 30:05.780]  I typically do, or would, vote before work, if we were still going into the office. I am doing a
[30:05.780 --> 30:09.800]  mail-in ballot. I think that mail-in ballots are critical right now, given the current situation,
[30:09.800 --> 30:14.540]  and because it really takes away those time-based attacks that we're seeing.
[30:15.620 --> 30:21.040]  If the day of the election you lose power, but you already voted three weeks ago,
[30:21.040 --> 30:29.120]  then you're not actually going to be part of the voter suppression problem, and it's already
[30:29.120 --> 30:33.660]  taken care of. And that's a huge positive, that's a huge benefit. Not to say that mail-in voting
[30:33.660 --> 30:40.100]  doesn't have its own issues, but that's at least a start to removing some of those time-based
[30:40.100 --> 30:46.820]  barriers. How do modern events change this? Are you considering things like mail-in voting?
[30:46.820 --> 30:52.980]  Are you on Twitter? I know a lot of us are. InfoSec Twitter is great and terrible, but it
[30:52.980 --> 30:57.580]  raises the question of, do you fact check? Are you checking the things that you see? Are you sharing
[30:57.580 --> 31:02.900]  articles without actually reading them? These are important, and they tend to get lost in the
[31:02.900 --> 31:12.260]  even though people talk about them. And then take a look at how would you attack your life of a
[31:12.260 --> 31:18.120]  voter, your typical day? What would you do that would make you stop and think, I'm going to take
[31:18.120 --> 31:25.080]  care of this problem and I'm not going to go vote today? That's what's critical. And some of the
[31:25.080 --> 31:31.540]  things that we saw in these tabletop exercises to affect an election were things like attackers
[31:32.720 --> 31:39.400]  creating deepfakes of certain candidates. And the thing is, if you release a deepfake of a candidate
[31:39.940 --> 31:45.560]  on the day of the election on that morning, there really isn't enough time for the candidate to
[31:45.560 --> 31:50.840]  react. And maybe they'll issue a statement, but the damage will have been done. And it's not
[31:50.840 --> 31:58.060]  something you can fix over the course of eight hours. So these are the types of questions like,
[31:58.060 --> 32:03.120]  how does that time-based element affect things? If you took out the electric grid exclusively in
[32:03.120 --> 32:09.320]  regions that are known to be very conservative, how would that look to people? What would they
[32:09.320 --> 32:14.300]  take away from that? Would they take away that it was just a random power outage or would they
[32:14.300 --> 32:22.800]  suspect that there was foul play from the other side? And then take those ideas and think about
[32:22.800 --> 32:29.700]  what you can do for your country instead. Because at the end of the day, as we know with red teaming,
[32:29.700 --> 32:34.560]  all of this is working towards stronger security. And that's what's important, is that we come out
[32:34.560 --> 32:39.580]  of this considering how to make security stronger, how to make election security stronger,
[32:40.020 --> 32:45.760]  the whole thing. So how do you defend? Are you involved in any of these sectors? Are you in the
[32:45.760 --> 32:50.640]  transit sector or communication sector? Do you work at a social media company? How can you effect
[32:50.640 --> 32:56.020]  change within these organizations? Because at the end of the day, we all have to do our part
[32:56.740 --> 33:07.220]  in order to protect our system. So this kind of left me with a lot of questions because it feels
[33:07.220 --> 33:13.620]  like an insurmountable problem. It's this huge, huge problem. But at the end of the day, what I
[33:13.620 --> 33:18.220]  think is the most important and what we can take away from this is the first thing is to, whether
[33:18.220 --> 33:25.040]  you work at a private company or a government entity, work to improve your security, your
[33:25.040 --> 33:31.040]  personal security, your enterprise security, whatever the case may be, we need it. Because
[33:31.040 --> 33:36.120]  all of these different elements can be used in a way that they're not supposed to be used. And
[33:36.120 --> 33:43.720]  you just don't know what creative method an attacker is going to use in order to affect
[33:44.440 --> 33:51.680]  the belief system of the country. So really focus on, of course, having good security measures.
[33:51.680 --> 33:57.600]  The second is to work with the government. I know, like, build partnerships with the
[33:57.600 --> 34:04.060]  government. I'm a part of InfraGard. It's the government group for infrastructure security.
[34:04.060 --> 34:08.940]  I think that that's great. It's a great way to share and give back, not just to the community,
[34:08.940 --> 34:14.300]  but also to the government. So I highly recommend just finding different avenues and different
[34:14.300 --> 34:20.000]  partnerships that you can have to make security stronger in the government space, even if you
[34:20.000 --> 34:26.460]  don't work there directly. And also to spread awareness. And then the last one is to work to
[34:26.460 --> 34:32.320]  fight misinformation. Because I think that's a continuous struggle that we all have to consider.
[34:32.320 --> 34:39.420]  And the more that we work at it, the better off we will be inevitably. I mean, it's a lot of work,
[34:39.420 --> 34:48.060]  but that's how it is. I also wrote a white paper on this. Feel free to download. You don't need to
[34:48.060 --> 34:52.860]  put it in email or anything like that. It's totally free if you go to this link. And it
[34:52.860 --> 34:58.120]  elaborates on a lot of what I've talked about here. So feel free to download that. And also
[34:58.120 --> 35:04.660]  message me if you have any questions. I'm happy to help. Thank you so much for attending. I hope
[35:04.660 --> 35:09.280]  you guys have a great rest of DEF CON Red Team Village. And if you have any questions, feel free
[35:09.280 --> 35:15.360]  to reach out. I will respond to all the comments in Discord. And feel free to ask me any questions.
[35:15.360 --> 35:21.700]  HackerBella on Discord. So thank you so much. Awesome. Thank you. Amazing presentation. Thank
[35:21.700 --> 35:28.540]  you so much for supporting us, supporting DEF CON Red Team Village. And again, as we said before,
[35:28.540 --> 35:32.380]  please look at all the talks and activities that are happening right now in the bottom of the
[35:32.380 --> 35:39.320]  screen. You should have a link to our website. We're streaming on Twitch and YouTube and so on.
[35:39.320 --> 35:44.800]  And please, as Allie mentioned, please join the conversation on Discord. We're going to take a
[35:45.700 --> 35:47.960]  small break and the next presenter will be here in about a minute.
